If you are studying for CCIE Security or any Cisco-related certification, you need to work on IPS. In this detailed tutorial, I will show you how to emulate Cisco Intrusion Prevention System (IPS) 6 using Qemu & GNS3. I will be emulating IPS 4235 v 6.0.6(E3) in this tutorial. You can run up to 4 virtual sensors starting with IPS-4235u v 6.0. In a future blog post, I will also show you how to run virtual sensors, configure IPS sensing interfaces using interface pairs, inline VLAN pairs etc., and connect to IPS6 using ASDM. In this guide, I will set up the sensor with 5 1000Mbps interfaces, with Management0/0 used for Command & Control (C&C) and the other 4 interfaces (GigabitEthernet 0/0 – GigabitEthernet 0/3) as sensing interfaces.

First & foremost, install the latest version of GNS3, i.e. GNS3 v0.7.3, if you haven’t already done so. Next, a Cisco IPS Recovery CD will be required. You should be able to get one from your CCO account on Cisco.com.

Disclaimer: This tutorial is for learning purposes only. You can download the Cisco IPS Recovery image from CCO directly. Otherwise, it shouldn’t be hard to get one from the internet using some googling skills. I will NOT provide any images, so please refrain from asking me, as I won’t entertain any such requests/emails.


Now, let’s get started. I will break it down into several steps.

Software Version Used in this tutorial:

-> Platform : Windows 7 64-bit edition (tutorial will work on any OS)

-> GNS3 Version : v0.7.3

-> IPS Sensor Version : IPS 4235 v 6.0.6(E3)

-> Qemu Version : 0.11.0

-> Reference : http://inetpro.org/wiki/Using_qemu_to_run_Cisco_IPS

NOTE: Screenshots might get cropped in the blog post, so click on a thumbnail to view the full image. If you want to download the tutorial, see the end of this tutorial for the GNS3 configuration file & a PDF version of this tutorial.

Step 1 : Create 2 Disk Images (hda & hdb)

[Screenshot: IPS disk creation]

Step 2 : Load IPS CD image using qemu

[Screenshot: IPS Image Recovery Process]

When qemu boots, press ‘k’ to start the re-imaging process (image recovery). When re-imaging is done, the software reloads, and qemu pauses at the BIOS screen complaining about boot issues. Exit the qemu process (using Ctrl-C).

Step 3 : Boot from the Re-Imaged Disks

The next step is to boot from the disk. When the system starts, you need to modify the grub boot entry to make sure the system starts at runlevel 1.

At the grub menu, press “e” to edit the first boot entry. In the following menu, select the 2nd line (the one that starts with “kernel=”) and press “e” again. Change the option init=/loadrc to init=1, then press Enter followed by “b” to boot.

The IPS software now boots into runlevel 1. When prompted, press Enter and issue the following commands: